Slashdot Mirror

← Back to Stories (view on slashdot.org)

Configuring a (User-Side) Hassle-Free Network?

Posted by Cliff on from the now-that-is-truly-plug-and-play dept.

braek asks: "I have been approached by a few locations (Hotels/Convention centers) in regards to providing high speed Internet to clients. Now, I'm sure this has been done a million and one times with a small x86 box running some flavor of Unix or BSD, however the thing that makes this somewhat of a more difficult chore, is the fact that the hotels and convention centers want absolutely NO reconfiguration to be required on the users laptops. So for example, the router must be able to route packets for people who have DHCP, as well as someone who has a static reserved IP address of 192.168.4.8 and someone who has a static global of 206.10.3.9. Basically the router should be able to route packets for the user regardless of their IP configuration. I Have looked around the web ad-nauseum but have found very little help. I'm thinking some form of transparent bridge or proxy-arp solution may be the key. Has anyone ever been in a situation like this, or have any ideas as to how this could be accomplished?"

6 of 87 comments (clear)

  1. Pray tell . . . by cjpez · · Score: 5, Insightful
    . . . what range of IPs would you assign when doing DHCP for someone, then? Someone's configuration is going to give you problems. If you assign someone a DHCP address in the 10.x.x.x block and then someone comes in with a static 10.x.x.x for some reason, you're screwed . . . I suppose in that scenario you could tell the DHCP server to not use that one IP address. But then what happens if the DHCP server assigns somone 10.0.10.10 and then someone comes in with that static IP? You've got a mess on your hands, that's what.

    Not to mention if someone comes in with a laptop that has a publicly-accessible IP; it's possible, anyway. How will you know to route that properly? I suppose that's pretty farfetched, actually, because the person with a publicly-available static IP on a laptop wouldn't expect it to work outside the network it usually sits in. But still, if that's one of your requirements, what then? Where does traffic to that IP route? Out to the world the way it's supposed to, or inside your hotel network? If you allow global IPs and do some funky route hacking, it would be trivial for someone to boot up their laptop with an IP of 216.239.39.101 and suddenly nobody in the hotel can get to Google. Bad idea.

    Someone's toes are going to have to be stepped on somewhere along the line. Someone else can come around and prove me wrong, though, if they can. :)

    --
    Al Qaeda has ninjas!
    1. Re:Pray tell . . . by tps12 · · Score: 4, Funny
      But then what happens if the DHCP server assigns somone 10.0.10.10 and then someone comes in with that static IP?

      Could you possibly keep track of MAC addresses and check every N packets whether there has been a change?

      If you allow global IPs and do some funky route hacking, it would be trivial for someone to boot up their laptop with an IP of 216.239.39.101 and suddenly nobody in the hotel can get to Google.

      Known as a "man-in-the-lobby" attack. ;)

      --

      Karma: Good (despite my invention of the Karma: sig)
  2. Re:ARP-Proxy is way to go by squeegee-me · · Score: 4, Informative

    Try this here there was a space.

    --
    Who wants Pork Chops?
  3. Another option by photon317 · · Score: 4, Insightful


    The consensus (probably correct) is that it's going to be quite difficult to implement, and it will always have corner cases which cause problems and maintenance nightmares, or worse hijacking of public sites.

    So here's a semi-manual different approach:

    Setup the yadda yadda yadda firewall+nat+dhcp standard setup, assuming that all clients are set for dhcp.

    Build a "laptop checker" box with a port hanging out at the reception desk. Inform clients that if they use DHCP (autodetect) like most companies do, they will be fine. If they have doubts or don't know, you can test their laptop's network compatibility for them.

    They plug into the network jack, either a green, yellow or red light lights up near the jack (linux can easily control LEDs :)

    Green means the test machine got a DHCP request from the laptop, so it should be ok.

    Yellow means no DHCP request, and we saw traffic sourced from some random IP. The IP was pinged for on the outside internet, and found to be non-responsive (unlikely hijacking), and doesn't seem wierd in any other way (multicast IP, or the IP of one of your routers, or the IP of another Yellow Light customer currently checked in, or anything else goofy). The receptionist can then (from some little gui) tell the network tester to allow them access. This turns on a special route for them on the inside, and sets it to be removed when they check out. They are warned that if they got the yellow light, we can't support any technical problems they may experience.

    A Red light means there was no DHCP response, and either we didnt see any traffic at all to look at, or they have some bad IP we dont want to assign. We dont add any routes, and we tell them it won't work.

    In both yellow and red conditions, you probably want a little handout to give them that walks through the basics of making your laptop autoconfig so it will work "properly".

    --
    11*43+456^2
  4. Re:Switch w/VLAN tagging to Host by regen · · Score: 5, Insightful

    In my haste to reply quickly, I left out details that I thought would be clearly seen once I said use a switch with vlan tagging.

    The upload to the host/router is via trunk port on the switch which is a member of all vlans. Since it is a trunk port the switch will forward the frame which the 802.1q tags on the frames.

    The host/router is configured with virtual interfaces on each vlan. Since the tags are present it can determine which packets belong to which ports on the switch.

    The host/router will use NAT/PAT to map the entire 0/0 address space to a single IP. Thus it will not matter what address is statically assigned to the laptop.

    Since the ARP request will be confined to the VLAN only the host/router will see them and can respond with it's MAC address, thus it will become the gateway router for that port. Likewise you can map services that you would like to provide locally such as DNS this way (or just let DNS pass)

    Of course, if they send a DHCP request you don't need to do all this work.

    You should be able to do this with of the shelf components. A Cisco 3700 series router could handle a small setup and a Cisco Catalyst 5500/6500 with RSM could handle much larger setups. Any CCIE with much VLAN experience should be able to set this up.

    If you want to go Open Source, you could use a Catalyst 5500/6500 with an OpenBSD/Linux/FreeBSD box instead of the RSM. You could even throw a bunch of quad nic into a box instead of using a switch but that would be a mess to manage.

    --
    The Economics of Website Security
  5. Call people who have already done it by PD · · Score: 4, Informative

    The Mariott Hotel in Dallas (can't remember which one exactly) already does this. Your configuration matters not a bit. Just plug it in and go.

    Give them a call and find out what they are running, and who provided the solution.

    --
    If tits were wings it'd be flying around.